70 changes: 39 additions & 31 deletions stubby/Dockerfile
@@ -1,46 +1,53 @@
FROM debian:buster as openssl
FROM debian:bookworm AS openssl
LABEL maintainer="Matthew Vance"

ENV VERSION_OPENSSL=openssl-1.1.1k \
SHA256_OPENSSL=892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5 \
ENV VERSION_OPENSSL=openssl-3.3.2 \
SHA256_OPENSSL=2e8a40b01979afe8be0bbfb3de5dc1c6709fedb46d6c89c10da114ab5fc3d281 \
SOURCE_OPENSSL=https://www.openssl.org/source/ \
OPGP_OPENSSL=8657ABB260F056B1E5190839D9C4D26D0E604491
# OpenSSL OMC
OPGP_OPENSSL_1=EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5 \
# Richard Levitte
OPGP_OPENSSL_2=7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C \
# Matt Caswell
OPGP_OPENSSL_3=8657ABB260F056B1E5190839D9C4D26D0E604491 \
# Paul Dale
OPGP_OPENSSL_4=B7C1C14360F353A36862E4D5231C84CDDCC69C45 \
# Tomas Mraz
OPGP_OPENSSL_5=A21FAB74B0088AA361152586B8EF1A6BA9DA2D5C \
# Tim Hudson
OPGP_OPENSSL_6=C1F33DD8CE1D4CC613AF14DA9195C48241FBF7DD \
# Kurt Roeckx
OPGP_OPENSSL_7=E5E52560DD91C556DDBDA5D02064C53641C25E5D \
# OpenSSL
OPGP_OPENSSL_8=BA5473A2B0587B07FB27CF2D216094DFD0CB81EF

WORKDIR /tmp/src
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

RUN set -e -x && \
build_deps="build-essential ca-certificates curl dirmngr gnupg libidn2-0-dev libssl-dev" && \
DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y --no-install-recommends \
build-essential \
ca-certificates \
curl \
dirmngr \
gnupg \
libidn2-0-dev \
libssl-dev && \
$build_deps && \
curl -L $SOURCE_OPENSSL$VERSION_OPENSSL.tar.gz -o openssl.tar.gz && \
echo "${SHA256_OPENSSL} ./openssl.tar.gz" | sha256sum -c - && \
curl -L $SOURCE_OPENSSL$VERSION_OPENSSL.tar.gz.asc -o openssl.tar.gz.asc && \
GNUPGHOME="$(mktemp -d)" && \
export GNUPGHOME && \
gpg --no-tty --keyserver keys.openpgp.org --recv-keys "$OPGP_OPENSSL" && \
gpg --no-tty --keyserver keyserver.ubuntu.com --recv-keys "$OPGP_OPENSSL_1" "$OPGP_OPENSSL_2" "$OPGP_OPENSSL_3" "$OPGP_OPENSSL_4" "$OPGP_OPENSSL_5" "$OPGP_OPENSSL_6" "$OPGP_OPENSSL_7" "$OPGP_OPENSSL_8" && \
gpg --batch --verify openssl.tar.gz.asc openssl.tar.gz && \
tar xzf openssl.tar.gz && \
cd "${VERSION_OPENSSL}" && \
/bin/sh -c 'if gcc -dM -E - </dev/null | grep -q __SIZEOF_INT128__; then export ECFLAG="enable-ec_nistp_64_gcc_128"; else export ECFLAG=""; fi' && \
cd $VERSION_OPENSSL && \
./config \
-Wl,-rpath=/opt/openssl/lib \
--prefix=/opt/openssl \
--openssldir=/opt/openssl \
$ECFLAG \
-DOPENSSL_NO_HEARTBEATS \
no-weak-ssl-ciphers \
no-ssl2 \
no-ssl3 \
shared \
-fstack-protector-strong && \
--prefix=/opt/openssl \
--openssldir=/opt/openssl \
no-weak-ssl-ciphers \
no-ssl3 \
no-shared \
enable-ec_nistp_64_gcc_128 \
-DOPENSSL_NO_HEARTBEATS \
-fstack-protector-strong && \
make depend && \
make && \
nproc | xargs -I % make -j% && \
make install_sw && \
apt-get purge -y --auto-remove \
$build_deps && \
Expand All @@ -49,18 +56,18 @@ RUN set -e -x && \
/var/tmp/* \
/var/lib/apt/lists/*

FROM debian:buster as stubby
FROM debian:bookworm AS stubby
LABEL maintainer="Matthew Vance"

ENV VERSION_GETDNS=v1.7.0
ENV VERSION_GETDNS=v1.7.3

WORKDIR /tmp/src
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

COPY --from=openssl /opt/openssl /opt/openssl

RUN set -e -x && \
build_deps="autoconf build-essential check cmake dh-autoreconf git libssl-dev libyaml-dev make m4" && \
build_deps="build-essential cmake dh-autoreconf git libssl-dev libyaml-dev libunbound-dev libidn2-dev make m4" && \
debian_frontend=noninteractive apt-get update && apt-get install -y --no-install-recommends \
${build_deps} \
ca-certificates \
Expand All @@ -78,8 +85,9 @@ RUN set -e -x && \
-DENABLE_STUB_ONLY=ON \
-DCMAKE_INSTALL_PREFIX=/opt/stubby \
-DOPENSSL_INCLUDE_DIR=/opt/openssl \
-DOPENSSL_CRYPTO_LIBRARY=/opt/openssl/lib/libcrypto.so \
-DOPENSSL_SSL_LIBRARY=/opt/openssl/lib/libssl.so \
-DOPENSSL_ROOT_DIR=/opt/openssl \
-DOPENSSL_CRYPTO_LIBRARIES=/opt/openssl/lib \
-DOPENSSL_SSL_LIBRARIES=/opt/openssl/lib \
-DUSE_LIBIDN2=OFF \
-DBUILD_LIBEV=OFF \
-DBUILD_LIBEVENT2=OFF \
Expand All @@ -88,7 +96,7 @@ RUN set -e -x && \
make && \
make install

FROM debian:buster
FROM debian:bookworm

COPY --from=openssl /opt/openssl /opt/openssl
COPY --from=stubby /opt/stubby /opt/stubby
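Review bot: In the stubby stage's cmake arguments, `-DOPENSSL_CRYPTO_LIBRARIES=/opt/openssl/lib` and `-DOPENSSL_SSL_LIBRARIES=/opt/openssl/lib` put a directory into variables that CMake's FindOpenSSL treats as results rather than inputs, so they probably do not steer the search, and `libssl-dev` is still in this stage's `build_deps`, which leaves Debian's own OpenSSL available as a fallback instead of the checksum- and signature-verified build. On 64-bit Linux an OpenSSL 3.x `make install_sw` usually places libraries under `lib64` unless `--libdir` is given, so `/opt/openssl/lib` may not exist after the version bump. I would keep `-DOPENSSL_ROOT_DIR=/opt/openssl`, replace the two `*_LIBRARIES` lines with `-DOPENSSL_USE_STATIC_LIBS=TRUE`, add `--libdir=lib` to the `./config` call in the openssl stage, and make the build fail if the installed stubby binary still lists libssl or libcrypto as a dynamic dependency. The cmake invocation begins outside the visible hunk, so this rests on the argument lines shown.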